I have just advanced to the last grade of high school (in Denmark). In this year, we all get to do one big project, where we can build/invent/create whatever we want to "solve a problem". As I study Math, IT and electronics, I would like to build something where all these 3 subjects are included. I have thought about a project for a long time, but I don't really know about how much cryptography is applied in companies, so I would like your guidance before I start working for almost a year on it.

Many big companies use enciphering algorithms to prevent third-party companies/hackers from getting access to sensitive data; however, not all the algorithms are safe and easy to use. I have been thinking about this problem for a long time now, especially because I love C#, cryptography and electronics, and making a product related to this subject would be very interesting.
(This school project is "just" a school project. We don't really sell our products anyhow when we have finished them, but it will get higher ratings if it really is useful).

I have thought about making a Hardware Random Number Generator connected with a program, which will XOR the file and keyfile together.
I have thought about making a simple circuit like this one, using white noise from an NPN transistor and/or an FM radio antenna tuned to unused frequencies. I would then collect these random output bits and send them to an Arduino (an open source electronics platform), which helps us send it through to a computer via USB. I will then program a C# application that would extract the random bits from the ARDUINO and XOR it with a file that we want to encrypt (One Time Pad).

My questions are (if you assume that I started a company selling our product):

Would it be useful for companies who need to keep their data safe?

Would the files encrypted with our "product" be safe?

I am aware of many other portable HRNG (List can be found here), however none of them seem to come with a program where they can be used. Most of them seed the linux dev/random. Can we "outperform" their product? (assuming size and transfer speed is the same, and I calculated the price to be roughly 65 US dollars).

Any idea how to improve my product? What should I do different?

I hope you can answer my questions and give feedback on my plans for my project.
Thank you in advance for any help you can provide!

Don't forget that an attacker can blast his own radio-wave stream in the frequencies you're using, so as it is described it's only safe if its location is hidden. This is an awesome project and seeing that half a year has passed since your question, how are you coming along? Is there a prototype available?
– rath, Mar 22 '13 at 23:34

2 Answers

Would it be useful for companies who need to keep their data safe?
No, a one-time-pad is only useful in very rare circumstances.
The main issue is key-management. You can only use each pad once, it's as large as the data you want to encrypt, and you need to get it to all parties in a secure way.
The direct competition of a one-time-pad is a stream cipher. They don't come with a proof of security, but are much easier to use, since they only have a small key (32 bytes or so) instead of a giant pad. Thanks to IVs (just locally generate a random value of around 16 bytes) the key reuse problem is much smaller too.

Would the files encrypted with our "product" be safe?
If you manage to do everything correctly, yes. But the key management is so annoying that mistakes such as pad reuse are likely, and it's not solving a practical problem. So nobody will use it.

Can we "outperform" their product?
Hardware RNGs are not that useful on desktop systems, since those tend to have sufficient entropy sources to seed a PRNG. Embedded systems, which often suffer from entropy issues, on the other hand typically can't afford a specialized HRNG module.
Intel is also working on putting a HRNG into their CPUs, at which point it'll be essentially free. You can't compete against that.

One-Time Pads only protect secrecy
Encrypting with a one-time pad only protects the secrecy of the message. It does not protect the integrity of a message. An attacker can flip bits in the cipher-text and that will flip bits in the plain-text. To protect the integrity of the message you need some sort of Message Authentication Code (MAC). This can be done with perfect security using a universal hash, but you'll burn through at least twice as much pad material.

All things considered, it's a much better option to use something like AES in GCM mode. OTPs + universal hashes sound great in theory but in practice they're so difficult to use properly that it might actually turn out to be less secure due to pad re-use etc. etc.

Minor correction: there are ways to use a universal hash to do integrity protection using a fixed number of additional bits per message. I do agree that, in practice, GCM is a much better option.
– poncho, Aug 31 '12 at 16:01

@poncho: Any pointers to how this might be done? A reference to a paper or book would be fine; I'm just interested in a more efficient way to do it.
– Simon Johnson, Aug 31 '12 at 16:08

@SimonJohnson Pretty much any universal hash works fine in that way. If done correctly, an attacker has a certain chance that his forged message gets accepted, and no matter how big his computational power is, he can't increase that chance. The chance increases with the message length, but you can easily choose your parameters so that it's still extremely low.
– CodesInChaos, Aug 31 '12 at 16:34

@CodesInChaos - yeah, I know how a universal hash works. I'm wondering how one does it without burning at least another message's worth of pad material?
– Simon Johnson, Aug 31 '12 at 16:48

hm? If you burn 64 bytes or so (half for the initialization, half for the masking of the final value), you push the chance of acceptance to beyond $2^{-200}$ for realistic message sizes. That should work for pretty much any universal hash, such as Poly1305 or what GCM uses.
– CodesInChaos, Aug 31 '12 at 16:54
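The two failure modes raised in the answers above, pad reuse from the first answer and the missing integrity protection from the second, together with the one-time MAC from a universal hash that the comments discuss, as an added Python example. This is not the asker's C# program nor code from any of the answerers; all function names are hypothetical, and the universal hash is a polynomial evaluation over GF(2^127 - 1), chosen here for illustration rather than taken from the thread. The example consumes 32 pad bytes per tag (16 for the evaluation point r, 16 for the mask s), which is the "fixed number of additional bits per message" poncho refers to, and the 64-byte pad in the demo stands in for bits read from the HRNG.

```python
import secrets

# Added illustration (not the asker's C# program): one-time-pad encryption,
# the two failure modes discussed in the answers (pad reuse and bit-flipping),
# and a one-time MAC built from a polynomial universal hash over GF(P).

P = (1 << 127) - 1          # Mersenne prime; the field for the universal hash
CHUNK = 15                  # 15-byte chunks plus a 0x01 terminator always stay below P
MAC_PAD_BYTES = 32          # pad material consumed per tag: 16 bytes for r, 16 for s


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; this is the whole of a one-time pad."""
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the data")
    return bytes(x ^ y for x, y in zip(a, b))


def pad_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """If one pad encrypts two messages, c1 XOR c2 equals m1 XOR m2: the pad
    cancels out and an observer learns the XOR of the two plaintexts."""
    return xor_bytes(ct1, ct2)


def flip_ciphertext_bits(ct: bytes, offset: int, mask: int) -> bytes:
    """Flipping bits in the ciphertext flips the same bits in the plaintext
    after decryption; a bare OTP gives the receiver no way to notice."""
    out = bytearray(ct)
    out[offset] ^= mask
    return bytes(out)


def poly_hash(message: bytes, r: int) -> int:
    """Polynomial universal hash over GF(P): the message chunks are the
    coefficients and the polynomial is evaluated at the secret point r.
    Two distinct messages agree for at most (number of chunks) values of r,
    so a forger's chance of a collision is about chunks / P."""
    h = 0
    for i in range(0, len(message), CHUNK):
        block = message[i:i + CHUNK] + b"\x01"   # terminator makes the encoding injective
        h = (h + int.from_bytes(block, "little")) * r % P
    return h


def one_time_mac(message: bytes, mac_pad: bytes) -> bytes:
    """tag = poly_hash(message, r) + s mod P, with r and s taken from 32 fresh pad
    bytes. Reducing a 128-bit value mod P is very slightly non-uniform; that is
    acceptable for illustration, not something to copy into a real design."""
    if len(mac_pad) != MAC_PAD_BYTES:
        raise ValueError("need exactly 32 pad bytes for one tag")
    r = int.from_bytes(mac_pad[:16], "little") % P
    s = int.from_bytes(mac_pad[16:], "little") % P
    return ((poly_hash(message, r) + s) % P).to_bytes(16, "little")


def encrypt_then_mac(plaintext: bytes, pad: bytes) -> bytes:
    """Consume len(plaintext) + 32 pad bytes: XOR the data, then tag the ciphertext."""
    n = len(plaintext)
    if len(pad) < n + MAC_PAD_BYTES:
        raise ValueError("not enough pad material")
    ct = xor_bytes(plaintext, pad[:n])
    return ct + one_time_mac(ct, pad[n:n + MAC_PAD_BYTES])


def verify_then_decrypt(blob: bytes, pad: bytes):
    """Return the plaintext, or None if the tag does not match (tampering or wrong pad)."""
    n = len(blob) - 16
    if n < 0 or len(pad) < n + MAC_PAD_BYTES:
        return None
    ct, tag = blob[:n], blob[n:]
    expected = one_time_mac(ct, pad[n:n + MAC_PAD_BYTES])
    if not secrets.compare_digest(tag, expected):   # constant-time comparison
        return None
    return xor_bytes(ct, pad[:n])


if __name__ == "__main__":
    pad = secrets.token_bytes(64)                   # stands in for bits from the HRNG
    m1 = b"transfer 100 EUR"                        # constructed sample messages
    m2 = b"transfer 900 EUR"
    c1, c2 = xor_bytes(m1, pad[:16]), xor_bytes(m2, pad[:16])   # same pad twice: the mistake
    print("pad reuse leaks m1^m2:", pad_reuse_leak(c1, c2) == xor_bytes(m1, m2))
    tampered = flip_ciphertext_bits(c1, 9, 0x08)    # '1' ^ 0x08 == '9'
    print("bare OTP, tampered ciphertext decrypts to:", xor_bytes(tampered, pad[:16]))
    blob = encrypt_then_mac(m1, pad)
    print("MAC rejects tampering:", verify_then_decrypt(flip_ciphertext_bits(blob, 9, 0x08), pad) is None)
    print("MAC accepts original:", verify_then_decrypt(blob, pad) == m1)
```

Every byte of pad is used exactly once: the sender and receiver must both advance their pad offset by len(plaintext) + 32 after each message, and that bookkeeping, not the XOR, is where the key-management burden the first answer describes actually lives.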